CN116861418A - Penetration test method, device, equipment and storage medium for 32-bit Windows sandbox - Google Patents

Info

Publication number: CN116861418A (application number CN202311133695.6A; granted version CN116861418B)
Authority: CN (China)
Prior art keywords: bit, test program, test, execution, code
Legal status: Granted; Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Inventors: 王伟, 李超, 吴璇
Current assignee: Beijing Huayuan Information Technology Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Beijing Huayuan Information Technology Co Ltd
History: application filed by Beijing Huayuan Information Technology Co Ltd; priority to CN202311133695.6A; publication of CN116861418A; application granted; publication of CN116861418B.

Classifications

All four classifications fall under G (Physics), G06 (Computing; calculating or counting), G06F (Electric digital data processing):

    • G06F21/554: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity (G06F21/00); monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems (G06F21/50); detecting local intrusion or implementing counter-measures (G06F21/55), involving event detection and direct action
    • G06F21/53: Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow (G06F21/52), by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F21/602: Protecting data (G06F21/60); providing cryptographic facilities or services
    • G06F9/44521: Arrangements for program control, e.g. control units (G06F9/00), using stored programs, i.e. using an internal store of processing equipment to receive or retain programs (G06F9/06); arrangements for executing specific programs (G06F9/44); program loading or initiating (G06F9/445); dynamic linking or loading; link editing at or after load time, e.g. Java class loading


Abstract

An embodiment of the disclosure provides a penetration test method, device, equipment and storage medium for a 32-bit Windows sandbox, in the technical field of attack and defence. The method comprises: placing a test program into the 32-bit Windows sandbox under test, the test program being a 32-bit program with embedded 64-bit execution code, and the 64-bit execution code being stored encrypted; running the test program in the sandbox, switching it from 32-bit mode to 64-bit mode at run time, and executing the 64-bit execution code to carry out the tests; and analysing how the 64-bit execution code executed and generating a penetration test report from that. The test program carries out these operations only on a confirmation instruction from the server hosting the 32-bit Windows sandbox under test. In this way a penetration test of a 32-bit Windows sandbox can be carried out effectively.

Description

Penetration test method, device, equipment and storage medium for 32-bit Windows sandbox
Technical Field
The disclosure relates to the technical field of computers, and within it to attack and defence technology; specifically it relates to a penetration test method, device, equipment and storage medium for a 32-bit Windows sandbox.
Background
Penetration testing is an authorised, simulated attack on a computer system carried out to evaluate its security; it is a way of demonstrating that the network defences work as planned. The process actively analyses the system's vulnerabilities and technical defects from the position an attacker would occupy.
Windows systems are commonly equipped with a sandbox, which provides an isolated environment in which suspected malicious code is run; once the sandbox identifies the code as malicious, it tells the system not to run it any further. Malicious code that is able to escape the Windows sandbox therefore keeps running and causes trouble for the user.
A comprehensive and effective penetration test of the Windows sandbox is therefore required, in which potential risks are identified in good time by simulating malicious attacks, so that the responsible staff can put targeted protective measures in place.
Disclosure of Invention
The present disclosure provides a penetration test method, device, equipment and storage medium for a 32-bit Windows sandbox.
According to a first aspect of the present disclosure, a penetration test method for a 32-bit Windows sandbox is provided. The method comprises the following steps:
placing the test program into the 32-bit Windows sandbox under test, the test program being a 32-bit program with embedded 64-bit execution code, and the 64-bit execution code being encrypted;
running the test program in the sandbox, switching it from 32-bit mode to 64-bit mode at run time, and executing the 64-bit execution code to carry out the tests;
analysing how the 64-bit execution code executed and generating a penetration test report from that; wherein
the test program carries out these operations according to a confirmation instruction from the server hosting the 32-bit Windows sandbox under test.
In some implementations of the first aspect, the 64-bit execution code includes one or more instructions for performing a test task.
In some implementations of the first aspect, switching from 32-bit mode to 64-bit mode at run time includes:
switching the test program from 32-bit mode to 64-bit mode using a first operation-mode switching code in the test program.
In some implementations of the first aspect, switching the test program from 32-bit mode to 64-bit mode using the first operation-mode switching code includes:
replacing the contents of the CPU's CS segment register by means of a push instruction and a retf instruction in the first operation-mode switching code, so that the test program switches from 32-bit mode to 64-bit mode.
In some implementations of the first aspect, executing the 64-bit execution code to carry out the tests includes:
decrypting the 64-bit execution code with the 64-bit shellcode in the test program and resolving the 64-bit Windows API it needs, so that the 64-bit execution code can carry out the tests.
In some implementations of the first aspect, analysing the execution of the 64-bit execution code and generating the penetration test report from it includes:
analysing how the 64-bit execution code executed;
if the task-completion message fed back by the 64-bit execution code is received, switching the test program from 64-bit mode back to 32-bit mode with a second operation-mode switching code in the test program, and terminating in 32-bit mode with a program-end code;
generating the penetration test report from the execution of the 64-bit execution code.
In some implementations of the first aspect, switching the test program from 64-bit mode to 32-bit mode using the second operation-mode switching code includes:
replacing the contents of the CPU's CS segment register by means of a push instruction and a retfq instruction in the second operation-mode switching code, so that the test program switches from 64-bit mode to 32-bit mode.
According to a second aspect of the present disclosure, a penetration test apparatus for a 32-bit Windows sandbox is provided. The apparatus comprises:
a first processing module for placing the test program into the 32-bit Windows sandbox under test, the test program being a 32-bit program with embedded 64-bit execution code, and the 64-bit execution code being encrypted;
a second processing module for running the test program in the sandbox, switching it from 32-bit mode to 64-bit mode at run time, and executing the 64-bit execution code to carry out the tests;
a third processing module for analysing how the 64-bit execution code executed and generating a penetration test report from that; wherein
the test program carries out these operations according to a confirmation instruction from the server hosting the 32-bit Windows sandbox under test.
According to a third aspect of the present disclosure, an electronic device is provided. The electronic device includes: at least one processor; and a memory communicatively coupled to the at least one processor; the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method as described above.
According to a fourth aspect of the present disclosure, there is provided a non-transitory computer readable storage medium storing computer instructions for causing a computer to perform a method as described above.
In this method a 32-bit test program with embedded 64-bit execution code is used to penetration-test the server hosting the 32-bit Windows sandbox under test, so that the security of that server is evaluated comprehensively and effectively by simulating malicious attack behaviour.
It should be understood that what is described in this summary is not intended to limit the critical or essential features of the embodiments of the disclosure nor to limit the scope of the disclosure. Other features of the present disclosure will become apparent from the following description.
Drawings
The above and other features, advantages and aspects of embodiments of the present disclosure will become more apparent by reference to the following detailed description when taken in conjunction with the accompanying drawings. For a better understanding of the present disclosure, and without limiting the disclosure thereto, the same or similar reference numerals denote the same or similar elements, wherein:
FIG. 1 shows a flow chart of a penetration test method for a 32-bit Windows sandbox provided by embodiments of the present disclosure;
FIG. 2 shows a block diagram of a penetration testing apparatus for a 32-bit Windows sandbox provided by embodiments of the present disclosure;
FIG. 3 illustrates a block diagram of an exemplary electronic device capable of implementing embodiments of the present disclosure.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the embodiments of the present disclosure more apparent, the technical solutions of the embodiments of the present disclosure will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present disclosure, and it is apparent that the described embodiments are some embodiments of the present disclosure, but not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments in this disclosure without inventive faculty, are intended to be within the scope of this disclosure.
In addition, the term "and/or" herein is merely an association relationship describing an association object, and means that three relationships may exist, for example, a and/or B may mean: a exists alone, A and B exist together, and B exists alone. In addition, the character "/" herein generally indicates that the front and rear associated objects are an "or" relationship.
To address the problems described in the background, the disclosure provides a penetration test method, device, equipment and storage medium for a 32-bit Windows sandbox.
Specifically, a test program is placed into the 32-bit Windows sandbox under test; the test program is a 32-bit program with embedded 64-bit execution code, and the 64-bit execution code is encrypted. The test program runs in the sandbox, switches from 32-bit mode to 64-bit mode at run time, and executes the 64-bit execution code to carry out the tests; the execution of the 64-bit execution code is then analysed and a penetration test report is generated from it. In this way the server hosting the 32-bit Windows sandbox under test can be tested comprehensively and effectively, and at the same time the behaviour of malware escaping the sandbox can be simulated and analysed, so that the responsible staff can put targeted protective measures in place in good time.
The following describes the embodiment in detail with reference to fig. 1.
FIG. 1 shows a flow chart of the penetration test method for a 32-bit Windows sandbox provided by embodiments of the present disclosure. As shown in FIG. 1, the penetration test method 100 for a 32-bit Windows sandbox may include the following steps:
S110, placing the test program into the 32-bit Windows sandbox under test.
The test program is a 32-bit program with embedded 64-bit execution code, and the 64-bit execution code is encrypted.
Specifically, a basic authentication step is first carried out with the server hosting the 32-bit Windows sandbox under test. Once authentication is complete, the test program is placed into the sandbox. The program is a 32-bit program; the 64-bit execution code embedded in it is encrypted and contains one or more instructions for completing the test tasks.
The instructions for completing the test tasks may be any test instructions, for example local information-gathering instructions, scanning instructions, attack instructions or other penetration-test instructions.
According to this embodiment, testing with 64-bit execution code that is embedded, encrypted, in a 32-bit test program gives a more accurate test result, and because the 64-bit execution code can contain one or more instructions for completing test tasks, a more comprehensive one.
S120, running the test program in the sandbox, switching it from 32-bit mode to 64-bit mode at run time, and executing the 64-bit execution code to carry out the tests.
Specifically, the test program runs in the sandbox, and its first operation-mode switching code uses a push instruction followed by a retf instruction to replace the contents of the CPU's CS segment register, which switches the program from 32-bit mode to 64-bit mode. On 64-bit Windows a CS value of 0x23 denotes 32-bit (WOW64) code and a CS value of 0x33 denotes 64-bit code, so the switch pushes 0x33 and a target address and then executes the far return, which loads CS with 0x33 and continues at the target (CS cannot be loaded with a mov; the far return is what reloads it). One precondition matters in practice: selector 0x33 is a 64-bit code segment only because the host CPU is already in long mode running 64-bit Windows, i.e. the test program must be a WOW64 process on a 64-bit host. On a genuinely 32-bit Windows installation no such segment exists and the far return faults instead of entering 64-bit mode.
The 64-bit shellcode in the test program then decrypts the 64-bit execution code and resolves the 64-bit Windows API functions it needs, so that the 64-bit execution code can carry out the tests. The 32-bit program's import table is bound to 32-bit DLLs and is of no use on the 64-bit side, so the shellcode has to locate the exports of the 64-bit modules mapped into the WOW64 process (the 64-bit ntdll.dll and the wow64*.dll set) itself.
The 64-bit execution code can either carry out the test tasks automatically according to preset instructions or, after decryption, hand control back to the test platform, so that a tester on the platform can drive the test remotely.
According to this embodiment, the 64-bit execution code can complete the test tasks according to preset instructions or under remote control by a tester, which is more flexible than conventional test methods.
S130, analysing how the 64-bit execution code executed and generating a penetration test report from that.
Specifically, the execution of the 64-bit execution code is analysed; if the task-completion message fed back by the 64-bit execution code is received, the test program is switched from 64-bit mode back to 32-bit mode with the second operation-mode switching code and terminated in 32-bit mode with the program-end code; a penetration test report is then generated from the execution of the 64-bit execution code.
Switching the test program from 64-bit mode to 32-bit mode with the second operation-mode switching code includes:
replacing the contents of the CPU's CS segment register by means of a push instruction and a retfq instruction in the second operation-mode switching code, so that the test program switches from 64-bit mode to 32-bit mode; here the value pushed into CS is 0x23. retfq is the far return with a 64-bit operand size (REX.W prefix), so it pops an 8-byte return address and an 8-byte CS, matching the 8-byte pushes that 64-bit mode performs.
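The two far-return stubs described in S120 and S130 can be written down and recognised concretely. The following Python is an added example, not code from the patent: gate_to_64 and gate_to_32 emit the push selector / push target / retf or retfq sequences exactly as the text describes them (the byte encodings and the selector values 0x33 and 0x23 are x86 and Windows-x64 facts), and scan_mode_switches is the check a sandbox or scanner author would want, walking a byte buffer for those sequences and reporting direction, target and which far return is used. The sample buffer and its target addresses are constructed for the demo. The scanner goes slightly beyond the text in also accepting a selector pushed as a 32-bit immediate (68 33 00 00 00), a variant the patent does not mention.

```python
"""Heaven's Gate stubs (32->64 and 64->32 mode switches) and a scanner for them.
Added example for the mode-switch description in this patent; the selector
values are those Windows x64 uses (0x23 = WOW64 32-bit code, 0x33 = 64-bit code)."""
import struct

CS_WOW64_32 = 0x23   # CS of a 32-bit (WOW64) thread on 64-bit Windows
CS_NATIVE_64 = 0x33  # CS of native 64-bit code on 64-bit Windows


def gate_to_64(target: int) -> bytes:
    """First switching code, executed in 32-bit mode:
        push 0x33 ; push target ; retf
    retf with a 32-bit operand pops a 4-byte EIP and a 4-byte CS, so execution
    resumes at `target` with CS=0x33, i.e. in 64-bit mode."""
    return b"\x6a" + bytes([CS_NATIVE_64]) + b"\x68" + struct.pack("<I", target) + b"\xcb"


def gate_to_32(target: int) -> bytes:
    """Second switching code, executed in 64-bit mode:
        push 0x23 ; push target ; retfq
    In 64-bit mode each push writes 8 bytes (imm32 is sign-extended, so the
    target must be below 0x80000000) and retfq (REX.W + CB) pops an 8-byte
    RIP and an 8-byte CS, so execution resumes at `target` with CS=0x23."""
    return b"\x6a" + bytes([CS_WOW64_32]) + b"\x68" + struct.pack("<I", target) + b"\x48\xcb"


def _push_imm(blob: bytes, i: int):
    """Decode `push imm8` (6A ib) or `push imm32` (68 id) at blob[i].
    Returns (value, instruction_length) or None."""
    if i + 1 < len(blob) and blob[i] == 0x6A:
        return blob[i + 1], 2
    if i + 4 < len(blob) and blob[i] == 0x68:
        return struct.unpack_from("<I", blob, i + 1)[0], 5
    return None


def scan_mode_switches(blob: bytes) -> list:
    """Find `push <0x23|0x33> ; push imm ; retf|retfq` sequences in a byte buffer.
    One dict per hit: offset, selector, target, ret ('retf'/'retfq'), direction."""
    hits = []
    i = 0
    while i < len(blob):
        sel = _push_imm(blob, i)
        if sel is None or sel[0] not in (CS_WOW64_32, CS_NATIVE_64):
            i += 1
            continue
        selector, n_sel = sel
        tgt = _push_imm(blob, i + n_sel)
        if tgt is None:
            i += 1
            continue
        target, n_tgt = tgt
        j = i + n_sel + n_tgt
        if blob[j:j + 2] == b"\x48\xcb":
            ret, n_ret = "retfq", 2
        elif blob[j:j + 1] == b"\xcb":
            ret, n_ret = "retf", 1
        else:
            i += 1
            continue
        hits.append({
            "offset": i,
            "selector": selector,
            "target": target,
            "ret": ret,
            "direction": "32->64" if selector == CS_NATIVE_64 else "64->32",
        })
        i = j + n_ret
    return hits


def build_sample() -> bytes:
    """Constructed buffer: padding, a 32->64 gate, int3 bytes, a 64->32 gate, padding."""
    return (b"\x90" * 5 + gate_to_64(0x00401000)
            + b"\xcc" * 3 + gate_to_32(0x00401234) + b"\x90" * 2)


if __name__ == "__main__":
    for h in scan_mode_switches(build_sample()):
        print(f"+0x{h['offset']:04x}: {h['direction']} via {h['ret']} "
              f"-> CS=0x{h['selector']:02x}, target=0x{h['target']:08x}")
```

A byte-pattern scan like this is the cheap static check; it misses gates built with call $+5 / add [esp] arithmetic or computed selectors, so a sandbox should pair it with a runtime check on CS after every far control transfer.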
The generated report is then sent to the user, so that the relevant security problems are clearly visible.
Throughout, the test program carries out these operations only according to the confirmation instruction of the server hosting the 32-bit Windows sandbox under test.
An example of a test procedure follows.
First, some terminology:
WOW64 is the mechanism by which a 64-bit Windows operating system runs 32-bit programs; it is implemented mainly by three dynamic link libraries, wow64.dll, wow64cpu.dll and wow64win.dll.
ntdll is a core system library. In a 64-bit environment there are two ntdlls, a 64-bit one and a 32-bit one, while a 32-bit environment has only a 32-bit ntdll; the ntdll of a 32-bit environment differs from the 32-bit ntdll of a 64-bit environment. For clarity the rest of this example calls the 64-bit ntdll of a 64-bit environment ntdll_64_64.dll, the 32-bit ntdll of a 64-bit environment ntdll_64_32.dll, and the ntdll of a 32-bit environment ntdll_32_32.dll.
Shellcode here means position-independent code, i.e. code that can run at any address.
Second, the test program can be written in the following steps:
A. Write the 32-bit test program code; its main job is to emulate WOW64 and handle the details of entering 64-bit mode.
B. After that handling is complete, write the first operation-mode switching code, which replaces the CS segment register by means of a push instruction and a retf instruction so that the CPU goes from 32-bit mode to 64-bit mode.
C. Write the 64-bit execution code embedded in the test program and preset its test instructions.
D. Write the 64-bit shellcode of the test program, which decrypts the execution code and resolves the 64-bit Windows API.
E. Write the second operation-mode switching code, which replaces the contents of the CPU's CS segment register by means of a push instruction and a retfq instruction so that the test program switches from 64-bit mode back to 32-bit mode.
F. Write the program-end code that terminates the test program normally.
In this embodiment the resulting test program is named B.exe. After authentication with the server hosting the 32-bit Windows sandbox under test is complete, B.exe is placed into the sandbox.
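Steps C and D above embed the 64-bit execution code in encrypted form and have the 64-bit shellcode decrypt it, and the whole run is conditional on the confirmation instruction from the server hosting the sandbox. The patent does not say which cipher, key handling or confirmation format is used, so the following Python is an added example of one way to tie those together; it is not the patent's B.exe. The packaging side encrypts the payload under a key derived from a server secret and a per-build nonce and stores only the nonce, a MAC and the ciphertext; the server releases the key only when it confirms the run; and the test program verifies the MAC before it decrypts, so a sandbox that merely executes the file without that confirmation never sees the 64-bit code in clear. The keystream construction (HMAC-SHA256 in counter mode), the container layout, the derive_payload_key labels and the server_confirm policy are assumptions for the demo, and the payload bytes are constructed.

```python
"""Confirmation-gated container for the encrypted 64-bit execution code.
Added example; cipher, container layout and confirmation protocol are
assumptions, not the patent's own design."""
import hashlib
import hmac
import os
import struct

MAGIC = b"X64P"
NONCE_LEN, TAG_LEN = 16, 32


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream.
    The same call encrypts and decrypts; never reuse (key, nonce) for two payloads."""
    out = bytearray()
    for blk in range((len(data) + 31) // 32):
        ks = hmac.new(key, nonce + struct.pack("<I", blk), hashlib.sha256).digest()
        chunk = data[blk * 32:(blk + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)


def derive_payload_key(server_secret: bytes, nonce: bytes) -> bytes:
    """Per-build key; only the holder of server_secret can recompute it."""
    return hmac.new(server_secret, b"x64-payload|" + nonce, hashlib.sha256).digest()


def build_test_program(server_secret: bytes, payload64: bytes, nonce: bytes = None) -> bytes:
    """Packaging side (steps C and D): MAGIC | nonce | len | tag | ciphertext.
    The key itself is NOT stored in the image."""
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    key = derive_payload_key(server_secret, nonce)
    ct = keystream_xor(key, nonce, payload64)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return MAGIC + nonce + struct.pack("<I", len(ct)) + tag + ct


def parse_container(image: bytes):
    """Split an image into (nonce, tag, ciphertext); rejects bad magic or truncation."""
    if image[:4] != MAGIC:
        raise ValueError("not a test-program container")
    nonce = image[4:4 + NONCE_LEN]
    (n,) = struct.unpack_from("<I", image, 4 + NONCE_LEN)
    tag_off = 4 + NONCE_LEN + 4
    tag = image[tag_off:tag_off + TAG_LEN]
    ct = image[tag_off + TAG_LEN:tag_off + TAG_LEN + n]
    if len(ct) != n:
        raise ValueError("truncated container")
    return nonce, tag, ct


def server_confirm(server_secret: bytes, nonce: bytes, run_authorized: bool):
    """Server hosting the sandbox: answer the confirmation request with the key, or refuse."""
    return derive_payload_key(server_secret, nonce) if run_authorized else None


def release_payload(image: bytes, confirmation_key):
    """64-bit shellcode side: verify the MAC under the confirmed key, then decrypt.
    Without a confirmation the 64-bit code is never decrypted."""
    nonce, tag, ct = parse_container(image)
    if confirmation_key is None:
        raise PermissionError("no confirmation from target server; 64-bit code stays encrypted")
    expected = hmac.new(confirmation_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("MAC mismatch: wrong key or tampered payload")
    return keystream_xor(confirmation_key, nonce, ct)


# Constructed stand-in for the 64-bit execution code (xor eax,eax ; ret, repeated)
SAMPLE_PAYLOAD = bytes.fromhex("31c0c3") * 16


if __name__ == "__main__":
    secret = b"constructed-server-secret"
    image = build_test_program(secret, SAMPLE_PAYLOAD)
    nonce = parse_container(image)[0]
    assert SAMPLE_PAYLOAD not in image
    key = server_confirm(secret, nonce, run_authorized=True)
    print("released", len(release_payload(image, key)), "bytes of 64-bit code")
```

The MAC is checked before any byte is decrypted, which is what keeps a forged or replayed confirmation from pushing garbage into the 64-bit stage; the transport that carries the confirmation request and reply (and authenticates the operator to the server) is outside this example.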
Inside the 32-bit Windows sandbox under test, B.exe drops four dynamic link libraries it carries, copies of wow64.dll, wow64cpu.dll, wow64win.dll and ntdll_64_32.dll saved from a 64-bit environment, and loads them into its own process with LoadLibrary. Using the first operation-mode switching code it then redirects the code path that would normally go through the sandbox's own 32-bit ntdll (ntdll_32_32.dll in the naming above) so that it goes through ntdll_64_32.dll instead. After the switch it calls CreateFile; the call flows into ntdll_64_32.dll, which, because of the WOW64 compatibility mechanism, calls functions in wow64.dll, wow64cpu.dll and wow64win.dll, and those in turn look for the 64-bit ntdll (ntdll_64_64.dll). Under the conditions of the 32-bit sandbox that lookup behaves abnormally and the sandbox crashes. After the sandbox crash B.exe creates an empty folder with an agreed name on the desktop to signal that it has escaped the sandbox. The 64-bit shellcode then decrypts the 64-bit execution code and resolves the 64-bit Windows API, and the 64-bit execution code runs its preset test instructions to complete the test tasks.
The execution of the 64-bit execution code is analysed; if the task-completion message fed back by the 64-bit execution code is received, B.exe is switched from 64-bit mode back to 32-bit mode with the second operation-mode switching code and terminates in 32-bit mode with the program-end code.
A penetration test report is generated from the execution of the 64-bit execution code and sent to the user.
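The run just described leaves a distinctive trace on the host: a 32-bit process drops its own copies of wow64.dll, wow64cpu.dll, wow64win.dll and a 64-bit-environment ntdll and loads them with LoadLibrary, whereas a legitimate WOW64 process only ever receives those images from the system directories. The following Python is an added detection example and is not part of the patent: it runs over a handful of constructed, Sysmon-style image-load records (the field layout timestamp|pid|process image|bitness|loaded module is an assumption for the demo, not Sysmon's real schema) and flags any 32-bit process that loads one of those modules, or anything named ntdll*.dll, from outside %SystemRoot%\System32 and %SystemRoot%\SysWOW64. Process names, paths and timestamps are made up.

```python
"""Flag a 32-bit process that loads WOW64 transition DLLs or an ntdll from
outside the Windows system directories, the pattern of the test program above.
Added example with constructed records; not from the patent."""
import ntpath
from collections import defaultdict

WOW64_MODULES = {"wow64.dll", "wow64cpu.dll", "wow64win.dll", "ntdll.dll"}
# Lower-case prefixes of the only places a WOW64 process legitimately gets these images
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed Sysmon-style image-load records: timestamp|pid|process image|bitness|loaded module
SAMPLE_EVENTS = """\
2023-09-05T10:00:01|4120|C:\\Users\\test\\Desktop\\b.exe|32|C:\\Windows\\SysWOW64\\ntdll.dll
2023-09-05T10:00:01|4120|C:\\Users\\test\\Desktop\\b.exe|32|C:\\Windows\\System32\\wow64.dll
2023-09-05T10:00:02|4120|C:\\Users\\test\\Desktop\\b.exe|32|C:\\Users\\test\\AppData\\Local\\Temp\\wow64.dll
2023-09-05T10:00:02|4120|C:\\Users\\test\\Desktop\\b.exe|32|C:\\Users\\test\\AppData\\Local\\Temp\\wow64cpu.dll
2023-09-05T10:00:02|4120|C:\\Users\\test\\Desktop\\b.exe|32|C:\\Users\\test\\AppData\\Local\\Temp\\wow64win.dll
2023-09-05T10:00:03|4120|C:\\Users\\test\\Desktop\\b.exe|32|C:\\Users\\test\\AppData\\Local\\Temp\\ntdll_64_32.dll
2023-09-05T10:00:05|2288|C:\\Program Files (x86)\\Notepad++\\notepad++.exe|32|C:\\Windows\\SysWOW64\\ntdll.dll
2023-09-05T10:00:05|2288|C:\\Program Files (x86)\\Notepad++\\notepad++.exe|32|C:\\Windows\\System32\\wow64cpu.dll
2023-09-05T10:00:06|3312|C:\\Windows\\System32\\svchost.exe|64|C:\\Windows\\System32\\ntdll.dll
"""


def parse_events(text: str):
    """Yield one dict per non-empty record line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pid, image, bits, module = line.split("|")
        yield {"ts": ts, "pid": int(pid), "image": image,
               "bits": int(bits), "module": module}


def is_system_path(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def suspicious_loads(events) -> dict:
    """pid -> list of image-load events that match the WOW64-drop pattern:
    a 32-bit process loading wow64*.dll / ntdll*.dll from a non-system path."""
    findings = defaultdict(list)
    for ev in events:
        if ev["bits"] != 32:
            continue  # the pattern is specific to WOW64 (32-bit) processes
        name = ntpath.basename(ev["module"]).lower()
        if not (name in WOW64_MODULES or name.startswith("ntdll")):
            continue
        if is_system_path(ev["module"]):
            continue  # normal WOW64 bootstrap: System32 / SysWOW64 copies
        findings[ev["pid"]].append(ev)
    return dict(findings)


def summarize(findings: dict) -> list:
    """One human-readable line per flagged process."""
    lines = []
    for pid, evs in sorted(findings.items()):
        mods = ", ".join(ntpath.basename(e["module"]) for e in evs)
        lines.append(f"pid {pid} {evs[0]['image']}: {len(evs)} WOW64/ntdll loads "
                     f"outside the system directories: {mods}")
    return lines


if __name__ == "__main__":
    for line in summarize(suspicious_loads(parse_events(SAMPLE_EVENTS))):
        print(line)
```

A name-based rule is only a first filter: the dropped ntdll can be renamed to anything, so a production rule should key on the loaded image's PE machine type (a 64-bit image mapped into a 32-bit process from a user-writable path) rather than on its file name.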
According to the embodiment of the disclosure, the following technical effects are achieved:
1. Testing with 64-bit execution code that is embedded, encrypted, in a 32-bit test program gives a more accurate test result, and because the 64-bit execution code can contain one or more instructions for completing test tasks, a more comprehensive one.
2. The 64-bit execution code can complete the test tasks according to preset instructions or under remote control by a tester, which is more flexible than conventional test methods.
3. The behaviour of malware escaping the sandbox can be simulated and analysed, so that the responsible staff can put targeted protective measures in place in good time. For defenders the practical lesson is that sandbox instrumentation which only hooks the 32-bit ntdll never sees what the program does after the switch to 64-bit mode; the 64-bit ntdll path has to be monitored as well.
It should be noted that, for simplicity of description, the foregoing method embodiments are all described as a series of acts, but it should be understood by those skilled in the art that the present disclosure is not limited by the order of acts described, as some steps may be performed in other orders or concurrently in accordance with the present disclosure. Further, those skilled in the art will also appreciate that the embodiments described in the specification are all alternative embodiments, and that the acts and modules referred to are not necessarily required by the present disclosure.
The foregoing is a description of embodiments of the method, and the following further describes embodiments of the present disclosure through examples of apparatus.
Fig. 2 shows a block diagram of a penetration test apparatus for a 32-bit Windows sandbox according to an embodiment of the present disclosure. As shown in fig. 2, the penetration test apparatus 200 for a 32-bit Windows sandbox may include:
the first processing module 210 puts the test program into the 32-bit Windows sandbox to be tested; the test program is a 32-bit test program and embedded with 64-bit execution code, and the 64-bit execution code is an encrypted code.
The second processing module 220 causes the test program to run in the sandbox and switch from 32-bit mode to 64-bit mode in operation, executing the 64-bit execution code for performing the relevant test.
The third processing module 230 analyzes the execution of the 64-bit execution code and generates a penetration test report according to the execution.
The test program executes the operation according to the confirmation instruction of the server where the 32-bit Windows sandbox to be tested is located.
It can be understood that each module/unit of the penetration test apparatus 200 for a 32-bit Windows sandbox shown in FIG. 2 implements a corresponding step of the penetration test method 100 provided by the embodiment of the present disclosure and achieves the corresponding technical effect; for the specific operation of each module refer to the corresponding part of the method embodiment above, which is not repeated here for brevity.
According to embodiments of the present disclosure, the present disclosure also provides an electronic device, a readable storage medium and a computer program product.
Fig. 3 illustrates a block diagram of an exemplary electronic device capable of implementing embodiments of the present disclosure. As shown in FIG. 3, electronic device 300 is intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital processing, cellular telephones, smartphones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the disclosure described and/or claimed herein.
The electronic device 300 includes a computing unit 301 that can perform various appropriate actions and processes according to a computer program stored in a ROM302 or a computer program loaded from a storage unit 308 into a RAM 303. In the RAM303, various programs and data required for the operation of the electronic device 300 may also be stored. The computing unit 301, the ROM302, and the RAM303 are connected to each other by a bus 304. I/O interface 305 is also connected to bus 304.
Various components in the electronic device 300 are connected to the I/O interface 305, including: an input unit 306 such as a keyboard, a mouse, etc.; an output unit 307 such as various types of displays, speakers, and the like; a storage unit 308 such as a magnetic disk, an optical disk, or the like; and a communication unit 309 such as a network card, modem, wireless communication transceiver, etc. The communication unit 309 allows the electronic device 300 to exchange information/data with other devices through a computer network such as the internet and/or various telecommunication networks.
The computing unit 301 may be a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of computing unit 301 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various computing units running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, etc. The computing unit 301 performs the various methods and processes described above, such as method 100. For example, in some embodiments, the method 100 may be implemented as a computer software program tangibly embodied on a machine-readable medium, such as the storage unit 308. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 300 via the ROM302 and/or the communication unit 309. One or more of the steps of the method 100 described above may be performed when the computer program is loaded into RAM303 and executed by the computing unit 301. Alternatively, in other embodiments, the computing unit 301 may be configured to perform the method 100 by any other suitable means (e.g. by means of firmware).
Various implementations of the systems and techniques described above may be implemented in digital electronic circuitry, integrated circuitry, field programmable gate arrays (FPGAs), application-specific integrated circuits (ASICs), application-specific standard products (ASSPs), systems on chip (SOCs), complex programmable logic devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implementation in one or more computer programs, which may be executed and/or interpreted on a programmable system including at least one programmable processor, which may be a special-purpose or general-purpose programmable processor, that may receive data and instructions from, and transmit data and instructions to, a storage system, at least one input device, and at least one output device.
Program code for carrying out methods of the present disclosure may be written in any combination of one or more programming languages. These program code may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus such that the program code, when executed by the processor or controller, causes the functions/operations specified in the flowchart and/or block diagram to be implemented. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. The machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a Read-Only Memory (ROM), an Erasable Programmable Read-Only Memory (EPROM or flash memory), an optical fiber, a portable Compact Disc Read-Only Memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having: display means for displaying information to a user; and a keyboard and pointing device (e.g., a mouse or trackball) by which a user can provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic input, speech input, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: Local Area Networks (LANs), Wide Area Networks (WANs), and the Internet.
The computer system may include a client and a server. The client and server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server may be a cloud server, a server of a distributed system, or a server incorporating a blockchain.
It should be appreciated that various forms of the flows shown above may be used to reorder, add, or delete steps. For example, the steps recited in the present disclosure may be performed in parallel, sequentially, or in a different order, provided that the desired results of the disclosed aspects are achieved, and are not limited herein.
The above detailed description should not be taken as limiting the scope of the present disclosure. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present disclosure are intended to be included within the scope of the present disclosure.

Claims (10)

1. A penetration test method for a 32-bit Windows sandbox, characterized by comprising the following steps:
placing a test program into the 32-bit Windows sandbox to be tested; the test program is a 32-bit test program embedded with 64-bit execution code, and the 64-bit execution code is encrypted code;
running the test program in the sandbox, switching from 32-bit mode to 64-bit mode during operation, and executing the 64-bit execution code to perform the relevant tests;
analyzing the execution condition of the 64-bit execution code, and generating a penetration test report according to the execution condition; wherein
the test program performs the above operations according to a confirmation instruction from the server hosting the 32-bit Windows sandbox to be tested.
2. The method of claim 1, wherein
the 64-bit execution code includes one or more instructions for performing a test task.
3. The method of claim 1, wherein said switching from 32-bit mode to 64-bit mode during operation comprises:
switching the test program from 32-bit mode to 64-bit mode using a first operation mode switching code in the test program.
4. The method of claim 3, wherein said switching the test program from 32-bit mode to 64-bit mode using a first operation mode switching code in the test program comprises:
replacing the contents of the CS segment register of the CPU using a push instruction and a retf instruction in the first operation mode switching code in the test program, so as to switch the test program from 32-bit mode to 64-bit mode.
5. The method of claim 1, wherein said executing the 64-bit execution code to perform the relevant tests comprises:
decrypting the 64-bit execution code using the 64-bit shellcode in the test program, and obtaining the relevant 64-bit Windows programming interfaces so that the 64-bit execution code can perform the relevant tests.
6. The method of claim 1, wherein analyzing the execution condition of the 64-bit execution code and generating a penetration test report according to the execution condition comprises:
analyzing the execution condition of the 64-bit execution code;
if test task completion information fed back by the 64-bit execution code is received, switching the test program from 64-bit mode to 32-bit mode using a second operation mode switching code in the test program, and ending in 32-bit mode with a program end code;
and generating a penetration test report according to the execution condition of the 64-bit execution code.
7. The method of claim 6, wherein switching the test program from 64-bit mode to 32-bit mode using the second operation mode switching code comprises:
replacing the contents of the CS segment register of the CPU using a push instruction and a retfq instruction in the second operation mode switching code in the test program, so that the test program is switched from 64-bit mode to 32-bit mode for operation.
8. A penetration test device for a 32-bit Windows sandbox, the device comprising:
a first processing module for placing a test program into the 32-bit Windows sandbox to be tested; the test program is a 32-bit test program embedded with 64-bit execution code, and the 64-bit execution code is encrypted code;
a second processing module for running the test program in the sandbox, switching from 32-bit mode to 64-bit mode during operation, and executing the 64-bit execution code to perform the relevant tests;
a third processing module for analyzing the execution condition of the 64-bit execution code and generating a penetration test report according to the execution condition; wherein
the test program performs the above operations according to a confirmation instruction from the server hosting the 32-bit Windows sandbox to be tested.
9. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1-7.
10. A non-transitory computer readable storage medium storing computer instructions for causing the computer to perform the method of any one of claims 1-7.
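The push/retf and push/retfq stubs of claims 4 and 7 overwrite CS to move a 32-bit process into 64-bit mode and back, and because the 64-bit payload of claim 1 is encrypted, the small unencrypted switch stub is what a sandbox or scanner can look for statically. The following Python heuristic is an added example, not code from the patent: it assumes the WoW64 selector convention (0x33 for 64-bit code, 0x23 for 32-bit code) and scans a constructed byte sample modelled on publicly documented Heaven's Gate signatures.

```python
"""Static heuristic for push/retf (32->64) and push/retfq (64->32) switch stubs."""
from dataclasses import dataclass
from typing import List

# WoW64 code-segment selectors (assumed from the documented WoW64 layout,
# not taken from the patent): 0x33 selects 64-bit code, 0x23 32-bit code.
CS_64BIT = 0x33
CS_32BIT = 0x23
PUSH_IMM8 = 0x6A   # push imm8: pushes the new CS selector
RETF = 0xCB        # retf: far return, reloads CS:EIP from the stack
REX_W = 0x48       # 48 CB decodes as retfq in 64-bit mode
MAX_STUB_LEN = 16  # max bytes between the push and the far return

@dataclass
class GateHit:
    offset: int     # offset of the push instruction in the buffer
    selector: int   # selector value pushed
    direction: str  # "32->64" or "64->32"
    stub: bytes     # bytes from the push through the far return

def find_mode_switch_stubs(code: bytes) -> List[GateHit]:
    """Find push-selector ... far-return stubs: 0x33+retf is a 32->64 switch
    (claim 4), 0x23+retfq a 64->32 switch (claim 7); other pairings are ignored."""
    hits: List[GateHit] = []
    n = len(code)
    for i in range(n - 1):
        if code[i] != PUSH_IMM8 or code[i + 1] not in (CS_64BIT, CS_32BIT):
            continue
        sel = code[i + 1]
        for j in range(i + 2, min(n, i + 2 + MAX_STUB_LEN)):
            if code[j] != RETF:
                continue
            is_retfq = code[j - 1] == REX_W
            if sel == CS_64BIT and not is_retfq:
                direction = "32->64"
            elif sel == CS_32BIT and is_retfq:
                direction = "64->32"
            else:
                continue  # selector and return width do not form a gate
            hits.append(GateHit(i, sel, direction, code[i:j + 1]))
            break
    return hits

# Constructed sample (not from the patent): the two stubs back to back, with the
# address-fixup bytes (call $+5; add dword [esp], 5) seen in public Heaven's Gate signatures.
SAMPLE_STUBS = bytes([
    0x6A, 0x33, 0xE8, 0, 0, 0, 0, 0x83, 0x04, 0x24, 0x05, 0xCB,        # push 0x33 ... retf
    0x6A, 0x23, 0xE8, 0, 0, 0, 0, 0x83, 0x04, 0x24, 0x05, 0x48, 0xCB,  # push 0x23 ... retfq
])
# Constructed benign bytes: push 0x33; pop eax; ret, i.e. no far return.
SAMPLE_BENIGN = bytes([0x6A, 0x33, 0x58, 0xC3])
```

Only the unencrypted switch stub is visible to this check; the encrypted 64-bit payload of claim 1 is not inspectable until the decryption step of claim 5 has run, so a sandbox that records the CS change at runtime complements the static scan.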
CN202311133695.6A 2023-09-05 2023-09-05 Penetration test method, device, equipment and storage medium for 32-bit Windows sandbox Active CN116861418B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311133695.6A CN116861418B (en) 2023-09-05 2023-09-05 Penetration test method, device, equipment and storage medium for 32-bit Windows sandbox

Publications (2)

Publication Number Publication Date
CN116861418A true CN116861418A (en) 2023-10-10
CN116861418B CN116861418B (en) 2023-12-22

Family

ID=88236313

Country Status (1)

Country Link
CN (1) CN116861418B (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160283716A1 (en) * 2015-03-28 2016-09-29 Leviathan, Inc. System and Method for Emulation-based Detection of Malicious Code with Unmet Operating System or Architecture Dependencies
CN106462709A (en) * 2014-01-27 2017-02-22 克洛诺斯赛博科技有限公司 Automated penetration testing device, method and system
CN106682494A (en) * 2016-11-16 2017-05-17 腾讯科技(深圳)有限公司 Information access method, device and equipment
US9690937B1 (en) * 2015-03-30 2017-06-27 EMC IP Holding Company LLC Recommending a set of malicious activity detection rules in an automated, data-driven manner
US20180096136A1 (en) * 2016-10-01 2018-04-05 Michael LeMay Technologies for object-oriented memory management with extended segmentation
CN109101815A (en) * 2018-07-27 2018-12-28 平安科技(深圳)有限公司 A kind of malware detection method and relevant device
US20200183814A1 (en) * 2018-12-05 2020-06-11 International Business Machines Corporation Fuzz testing for quantum sdk
US20210200859A1 (en) * 2019-12-31 2021-07-01 Fortinet, Inc. Malware detection by a sandbox service by utilizing contextual information
CN114205153A (en) * 2021-12-12 2022-03-18 中国电子科技集团公司第十五研究所 Self-adaptive penetration test method for complex defense mechanism

Non-Patent Citations (7)

* Cited by examiner, † Cited by third party
Title
34R7HM4: "[Original] Heaven's Gate C implementation", pages 1-19, Retrieved from the Internet <URL:https://bbs.kanxue.com/thread-270153.htm> *
JOAKIM KARGAARD et al.: "Defending IT systems against intelligent malware", 2018 IEEE 9th International Conference on Dependable Systems, Services and Technologies, pages 411-417 *
YUBIN YANG et al.: "DroidWard: An Effective Dynamic Analysis Method for Vetting Android Applications", Cluster Computing, vol. 21, page 265, XP055953619, DOI: 10.1007/s10586-016-0703-5 *
孙统计: "Analysis of security detection technology based on intelligent sandboxes", Electronic Technology & Software Engineering, pages 229-230 *
林鑫: "Research on sandbox-based Android malware detection technology", Electronic Design Engineering, vol. 24, no. 12, pages 48-50 *
童瀛 et al.: "A sandbox-based method for detecting malicious code behaviour", Journal of Xi'an University of Posts and Telecommunications, vol. 23, no. 5, pages 101-110 *
红头发蓝胖子: "A thorough guide to the Windows 10 and 11 Sandbox feature and custom sandbox configuration", pages 1-14, Retrieved from the Internet <URL:https://zhuanlan.zhihu.com/p/559905922> *

Also Published As

Publication number Publication date
CN116861418B (en) 2023-12-22

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant